Securing your site


Notice: Please do not follow the instructions below on securing your site if you are using MODx Evolution 1.0.0 due to incompatibility. Please refer to this document instead: http://svn.modxcms.com/docs/display/MODx096/Friendly+URL+Solutions


suPHP and PHPSuexec

On most Apache servers, PHP runs as an Apache module. This means that it runs under the user nobody, but doesn't require the execute flag. In this mode, files or directories that you want your PHP scripts to be able to write to need 777 permissions (i.e. read/write/execute at user/group/world level). To execute a PHP file in this mode, it simply needs to be world readable.

The problem with this setup is that, theoretically, it allows every other user on the same server to read your PHP files! Allowing other users to read your HTML files is fine, since that's what they are for, but PHP files are not meant to be readable; they are meant to be parsed.

Many scripts store, for example, a database username and password in a PHP file, so every client on that server could read your PHP files to retrieve your password and access your databases. This is clearly not very secure.

So what can be done? This is where systems like suPHP and PHPSuexec come into play. suPHP and PHPSuexec make PHP run as CGI under your own user/group level. This means that with suexec enabled your PHP scripts are executed under your user, and your files and folders no longer need 777 permissions. In fact, if you use 777 permissions on your scripts or directories, they will not run and will instead cause a 500 internal server error when you attempt to execute them. This is done to protect you from someone abusing your scripts.

When suPHP or PHPSuexec is enabled, your scripts can have a maximum of 644 permissions (i.e. read/write by you, read by everyone else) and directories can have a maximum of 755 permissions (i.e. read/write/execute by you, read/execute by everyone else). In summary, PHP running as CGI/suexec is much more secure than the older Apache module method.


Testing

I added this section because you'll want ways to verify MODx's behavior before and after making such a big change.


Changing MODx's Handling of File Permissions

This section is for versions of MODx prior to MODx 1.0.
If you are running an older version, you should really update to the current MODx 1.x version.
Due to incompatibility, do not implement the following instructions if your version of MODx is Evolution 1.0.0 or higher.

For this to work, you must make some modifications to the MODx code. WARNING: this involves changing files! Be SURE to back up every page you plan to alter!

Changing File Permissions

The installation guide advises setting folder permissions to 666 or 777. Change the permissions to the following instead:

  1. /assets/cache folder to 700
  2. all files inside /assets/cache folder to 600, except index.html
  3. /assets/export folder to 755
  4. /assets/images folder to 755
  5. /manager/includes/config.inc.php to 600 (after installation has finished)

MODx also currently has hardcoded permissions of 666 or 777 for files that are uploaded through the file managers. To make these suitable for suPHP and PHPSuexec, you need to make the following edits (a patch file against rev 1630 can be downloaded [here]):


manager/actions/files.dynamic.php

Perform a search and replace:

original:

$newfolderaccessmode = 0777

to:

$newfolderaccessmode = 0755

original:

@chmod($_POST['path']."/".$userfile['name'], 0777);

to:

@chmod($_POST['path']."/".$userfile['name'], 0644);

manager/media/browser/mcpuk/connectors/php/Auth/Default.php

Perform a search and replace:

original:

mkdir($top,0777) or die("users folder in UserFilesPath does not exist and could not be created.");
chmod($top,0777);

to:

mkdir($top,0755) or die("users folder in UserFilesPath does not exist and could not be created.");
chmod($top,0755);

original:

mkdir($up,0777) or die("users/".$decArray[2]." folder in UserFilesPath does not exist and could not be created.");
chmod($up,0777); //Just for good measure

to:

mkdir($up,0755) or die("users/".$decArray[2]." folder in UserFilesPath does not exist and could not be created.");
chmod($up,0755); //Just for good measure

original:

mkdir("$up/$value",0777) or die("users/".$decArray[2]."/$value folder in UserFilesPath does not exist and could not be created.");
chmod("$up/$value",0777); //Just for good measure

to:

mkdir("$up/$value",0755) or die("users/".$decArray[2]."/$value folder in UserFilesPath does not exist and could not be created.");
chmod("$up/$value",0755); //Just for good measure

manager/media/browser/mcpuk/connectors/php/Commands/CreateFolder.php

Perform a search and replace:

original:

if (mkdir($newdir,0777)) {

to:

if (mkdir($newdir,0755)) {

manager/media/browser/mcpuk/connectors/php/Commands/FileUpload.php

Perform a search and replace:

original (note: replace both occurrences!):

chmod(($this->real_cwd."/$filename($i).$ext"),0777);

to:

chmod(($this->real_cwd."/$filename($i).$ext"),0644);

original (note: replace both occurrences!):

chmod(($this->real_cwd."/$filename.$ext"),0777);

to:

chmod(($this->real_cwd."/$filename.$ext"),0644);

manager/media/browser/mcpuk/connectors/php/Commands/Thumbnail.php

Perform a search and replace:

original (note: replace all 3 occurrences!):

chmod($thumbfile,0777);

to:

chmod($thumbfile,0644);

manager/media/ImageEditor/Classes/Files.php

Perform a search and replace:

original:

mkdir ($newFolder, 0777);
return chmod($newFolder, 0777);

to:

mkdir ($newFolder, 0755);
return chmod($newFolder, 0755);

Implementing tighter security for MODx Evolution 1.0.0

Please refer to the following links on Modx’s official forum. The needed amendments to your .htaccess file to protect your site against malicious scripts can be found in the first post in the following thread:

go to thread


Additional security programmes

* Browser Addons

Firefox

  1. CSRF Protector 0.2 - This is not compatible with the latest Firefox 3.5
This extension protects users from certain types of CSRF attacks by stripping cookies from cross-domain POST requests.
get add on

* SSL Certificate switch

  1. SSL 1.0-GA
For sites using an SSL certificate, these plugins manage switching between pages that you want to serve securely with https:// and other pages that you want to serve as http://.
get application

* Password Safes

  1. KeePass Password Safe
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way.
get application


* Password Safes

  1. EForm
eForm is a highly flexible form parser snippet that lets you convert web forms into an email, which can then be sent to users you specify in the snippet or the form. Please see the wiki page dedicated specifically to EForm:
go to wiki page and get application


Here are some other security applications you can try. Also, please see the full list of extras for the Modx CMS.

Troubleshooting

When accessing my site, I get internal server errors. Try the following to resolve the issue:

  • Check that the PHP script you are attempting to execute does not have permissions over 755 - 644.
  • Check that the directory the script is in does not have permissions over 755. This also goes for any directory that the script would need to have access to.
  • Check that the scripts are owned by you.
  • Check that any lines starting with php_ in your .htaccess file are commented out.
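
The permission targets listed under "Changing File Permissions" and the troubleshooting checks above can be verified in one pass. The shell function below is an added example, not part of the original wiki page or of MODx; the function names, finding labels and demo tree are constructed for illustration, and it assumes the audit is run as the account that owns the site.

```shell
#!/bin/sh
# audit_suphp ROOT: print one finding per line; status 0 if clean, else 1.
audit_suphp() {
    root=$1
    findings=$(
        # Files may be at most 644: flag any bit outside rw-r--r--.
        find "$root" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
            -o -perm -0002 -o -perm -0001 \) -print | sed 's/^/FILE_MODE /'
        # Directories may be at most 755: flag group or world write.
        find "$root" -type d \( -perm -0020 -o -perm -0002 \) -print |
            sed 's/^/DIR_MODE /'
        # Scripts must be owned by the account they run as
        # (assumption: the user running this audit).
        find "$root" ! -user "$(id -u)" -print | sed 's/^/OWNER /'
        # Active php_ lines in .htaccess must be commented out.
        find "$root" -type f -name .htaccess \
            -exec grep -nE '^[[:space:]]*php_' {} /dev/null \; |
            sed 's/^/HTACCESS /'
        # The 600/700 targets from the list: no group/world bits at all.
        for p in manager/includes/config.inc.php assets/cache; do
            [ -e "$root/$p" ] || continue
            case $(ls -ld "$root/$p" | cut -c5-10) in
                ------) ;;
                *) echo "NOT_PRIVATE $root/$p" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo tree (not a real install): build, audit, clean up.
demo_audit() {
    t=$(mktemp -d)
    mkdir -p "$t/manager/includes" "$t/assets/cache"
    chmod 755 "$t" "$t/manager" "$t/manager/includes" "$t/assets"
    chmod 700 "$t/assets/cache"
    echo '<?php // constructed' > "$t/manager/includes/config.inc.php"
    chmod 666 "$t/manager/includes/config.inc.php"   # too permissive
    printf '# php_flag x off\nphp_value memory_limit 64M\n' > "$t/.htaccess"
    chmod 644 "$t/.htaccess"
    audit_suphp "$t" | sed "s|$t/||"
    rm -rf "$t"
}

if [ "${1:-}" = demo ]; then demo_audit; fi
```

Run the script with the argument demo to see the three findings for the constructed tree, or call audit_suphp with the path to your own MODx root.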